Rule S2068: detect hard-coded passwords in web.config files #6182

pavel-mikula-sonarsource · 2022-10-07T13:15:20Z

Contributes to #5427

analyzers/src/SonarAnalyzer.Common/Rules/Hotspots/DoNotHardcodeCredentialsBase.cs

martin-strecker-sonarsource · 2022-10-10T09:14:27Z

analyzers/src/SonarAnalyzer.Common/Rules/Hotspots/DoNotHardcodeCredentialsBase.cs

+            const string UriPasswordSpecialCharacters = Rfc3986_Unreserved + Rfc3986_Pct + Rfc3986_SubDelims;
+            // See https://tools.ietf.org/html/rfc3986 Userinfo can contain groups: unreserved | pct-encoded | sub-delims
+            var uriUserInfoPart = @"[\w\d" + Regex.Escape(UriPasswordSpecialCharacters) + "]+";
+            uriUserInfoPattern = new Regex(@"\w+:\/\/(?<Login>" + uriUserInfoPart + "):(?<Password>" + uriUserInfoPart + ")@", RegexOptions.Compiled);


According to rfc3986 more than one : is allowed in the userinfo. I assume, that the password group should also accept :.

I don't understand the comment. Can you provide more detailed explanation?

I did not really changed anything of this logic, I just moved it to different place

I think this is a valid userinfo that does not match the regex:
https://user:passwordWith:isOkay@example.org/ This is how I read the grammar in the RFC, but I could be mistaken. At least .Net thinks so too sharplab.io

We don't need to extract the full password. So changing it will make the regex more expensive, without affecting the results.

The problem is that the : is not in the <Password> group and because of the trailing @, the regex doesn't match at all. The password group must be "[\w\d" + Regex.Escape(UriPasswordSpecialCharacters) + ":]+".

I'll try in another PR

...s/tests/SonarAnalyzer.UnitTest/TestCases/WebConfig/DoNotHardcodeCredentials/Valid/Web.config

martin-strecker-sonarsource

LGTM. The test for EF6 connection string should be updated to test the interesting case of an &quote; as a delimiter and there are some improvements for the RegEx possible or need a followup PR.

...s/tests/SonarAnalyzer.UnitTest/TestCases/WebConfig/DoNotHardcodeCredentials/Valid/Web.config

sonarcloud · 2022-10-11T15:18:45Z

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

sonarcloud · 2022-10-11T15:22:05Z

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

100.0% Coverage
0.0% Duplication

pavel-mikula-sonarsource marked this pull request as draft October 7, 2022 13:15

github-actions bot assigned pavel-mikula-sonarsource Oct 7, 2022

pavel-mikula-sonarsource requested a review from martin-strecker-sonarsource October 7, 2022 14:02

github-actions bot assigned martin-strecker-sonarsource and unassigned pavel-mikula-sonarsource Oct 7, 2022

Base automatically changed from Pavel/RefactorParameters to master October 10, 2022 07:26

martin-strecker-sonarsource requested changes Oct 10, 2022

View reviewed changes

github-actions bot assigned pavel-mikula-sonarsource and unassigned martin-strecker-sonarsource Oct 10, 2022

pavel-mikula-sonarsource added 11 commits October 10, 2022 15:21

Refactor UTs

9bcd7cf

Prepare UTs

380dc51

Add more test cases

f03184d

More tests

29451bd

Simple prototype

890481b

Extract and reuse logic

ac2f226

Add URI test case

44cdf2a

Support XElement

9da0fc2

Fix SecurityHotspotTest

3468dda

Add UT for debug files

61f6399

Review update

67b66c1

pavel-mikula-sonarsource force-pushed the Pavel/S2068-webconfig branch from 5a7d190 to 67b66c1 Compare October 10, 2022 14:02

pavel-mikula-sonarsource requested a review from martin-strecker-sonarsource October 10, 2022 14:44

pavel-mikula-sonarsource marked this pull request as ready for review October 10, 2022 14:44

github-actions bot assigned martin-strecker-sonarsource and unassigned pavel-mikula-sonarsource Oct 10, 2022

martin-strecker-sonarsource reviewed Oct 11, 2022

View reviewed changes

...s/tests/SonarAnalyzer.UnitTest/TestCases/WebConfig/DoNotHardcodeCredentials/Valid/Web.config Show resolved Hide resolved

martin-strecker-sonarsource approved these changes Oct 11, 2022

View reviewed changes

github-actions bot assigned pavel-mikula-sonarsource and unassigned martin-strecker-sonarsource Oct 11, 2022

Add single line UT

5d2573f

pavel-mikula-sonarsource merged commit 19f6fdb into master Oct 12, 2022

pavel-mikula-sonarsource deleted the Pavel/S2068-webconfig branch October 12, 2022 06:45

martin-strecker-sonarsource modified the milestone: 8.47 Oct 18, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Rule S2068: detect hard-coded passwords in web.config files #6182

Rule S2068: detect hard-coded passwords in web.config files #6182

pavel-mikula-sonarsource commented Oct 7, 2022

martin-strecker-sonarsource Oct 10, 2022

pavel-mikula-sonarsource Oct 10, 2022

pavel-mikula-sonarsource Oct 10, 2022

martin-strecker-sonarsource Oct 11, 2022

pavel-mikula-sonarsource Oct 11, 2022

martin-strecker-sonarsource Oct 12, 2022

pavel-mikula-sonarsource Oct 12, 2022

pavel-mikula-sonarsource Oct 12, 2022

martin-strecker-sonarsource left a comment •

edited

Loading

sonarcloud bot commented Oct 11, 2022

sonarcloud bot commented Oct 11, 2022

Rule S2068: detect hard-coded passwords in web.config files #6182

Rule S2068: detect hard-coded passwords in web.config files #6182

Conversation

pavel-mikula-sonarsource commented Oct 7, 2022

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

martin-strecker-sonarsource left a comment • edited Loading

Choose a reason for hiding this comment

sonarcloud bot commented Oct 11, 2022

sonarcloud bot commented Oct 11, 2022

martin-strecker-sonarsource left a comment •

edited

Loading